
The CISO Playbook for Cloud Security

5 Strategies to Navigate Your Evolving Job Description
Table of Contents
The Expanding Role of the CISO 3

#1: Build Champions 4

#2: Establish Trust with Development 9

#3: Empower Developers to Secure Their Applications 11

#4: Invest in Data and Automation 14

#5: Automate Compliance as Much as Possible 15

The CISO Playbook for Cloud Security 2


The Expanding Role of the CISO
The traditional role of the chief information security officer (CISO) has always been to design cybersecurity
strategies that protect data and minimize an organization’s risk profile. Should an event occur, the CISO was
responsible for incident response procedures to limit exposure, loss, and unnecessary downtime. Ah… the good
old days.

Make no mistake: The CISO is still on the hook for all those obligations. But as companies continue to adopt
cloud technologies, CISOs face new challenges. Migrating data and securing critical workloads in the cloud is
no joke. CISOs still have to fulfill their traditional responsibilities, but the list of to-dos (and skills to learn) seems
to grow by the day.

This playbook offers five “big rocks” that will help CISOs build a leadership role that endures through ever-
changing job descriptions. These strategic initiatives will lay the foundation for a security organization that fosters
trust among departments while building productive cloud architectures that:

• Speed the execution and accuracy of code
• Prioritize risk and mitigate threats faster
• Embrace automation and increase operational efficiency
• Achieve continuous compliance



#1: Build Champions
Cloud security can be extremely challenging. To be successful, CISOs must gain buy-in from executives
across several domains, including risk, privacy, compliance, security, development, and technology.
Organizations must understand that providing complete cloud protection against modern threats
could require deep operational change. But the day-to-day change starts with a shift in mindset.

Change can be scary, but it’s essential. This presents an opportunity for the CISO to reassure business
leaders that, if implemented correctly, processes won’t be disrupted, data and applications will be
protected, and a collaborative environment that enables the organization to drive secure innovation at
scale will be established.



Benefits Will Bring Buyers to the Table
To gain support, focus on each team’s biggest motivators and demonstrate how they can benefit
from a secure cloud architecture. Research indicates that CTOs (or CIOs), CEOs, and boards of
directors play the biggest roles in influencing annual cybersecurity budgets.1 As such, we’ve created
a quick cheat sheet to help you convey the value drivers that matter most to these key individuals and
others across your organization.

CEO

Drivers
• Business growth and profitability
• Competitive advantage
• Reputation and brand
• Risk management
• Compliance and governance

Conversation tip
Explain in non-technical terms how a secure cloud architecture can promote business growth,
accelerate the release of new services, and expand an organization’s reach into untapped markets
and regions. In addition, highlight that in today’s competitive landscape, employees have choices. It’s
essential to create an inclusive culture using modern architecture and tools to attract and retain top talent,
which in turn helps drive innovation and revenue.



CFO/Compliance

Drivers
• Financial performance
• Risk management
• Return on investment
• Operational efficiency
• Business strategy

Conversation tip
Emphasize the cost savings achieved through efficient cloud security tooling versus relying
on more traditional tools that require excessive headcount and resources to manage and maintain.
In addition, regulatory concerns are top of mind for CFOs and risk and compliance officers. However,
keeping up with diverse regulatory requirements and audit requests can be overwhelming. Demonstrate
how cloud compliance monitoring across multiple environments can ensure builds and running cloud
services meet compliance requirements and that this starts during development.

CTO

Drivers
• Technological innovation
• Scalability
• Security
• Reliability
• Cost optimization

Conversation tip
Highlight the opportunities for IT to have access to stronger data to make better-informed decisions and
drive better business outcomes. IT can partner with security to drive secure innovation for cost-effective,
functional products and services that generate additional revenue streams. By using the cloud
securely, CTOs can cut costs and help development teams build more quickly. This teamwork provides a
competitive advantage for the business and helps create a culture of collaboration.



Head of Development

Drivers
• Collaboration and communication
• Scalability and performance
• Streamlining security and development

Conversation tip
Center your conversation on how innovation, paired with security, is critical to the success of the
business. Development teams need an architecture that enables them to focus on building code rather
than constantly tweaking or fixing it to be secure. In today’s market, development teams must be able to
move quickly and produce within an environment that scales and integrates security into the build pipeline.
Enabling developers to fix security issues during the build process improves productivity and builds
relationships between security and developers.

The Board of Directors

Drivers
• Financial performance
• Risk management
• Corporate strategy
• Corporate governance
• Shareholder value

Conversation tip
Without getting into the specifics (yet), start the conversation with how the board plays a critical
role in ensuring that the organization is adequately protected. Discuss how this is particularly important
in light of new government regulations that are surfacing across the globe. The conversation should
focus on how, with the emergence of modern threats, cybersecurity can no longer be an isolated entity
within the organization but should impact every part of the company. This holistic approach is necessary
to ensure the business delivers the best value for shareholders and stakeholders.



“We increased our level of confidence with the
information coming out of Lacework FortiCNAPP
and were able to give management and senior
leadership assurance that we had the cloud
environment under control.”
– John Turner, Senior Security Architect, LendingTree

#2: Establish Trust with Development
In a fast-paced environment, trust between security and development teams is critical. Unfortunately, developers
often perceive security teams as a roadblock to innovation, or at best as slow as a snail. Security teams, not surprisingly,
believe that developers go rogue, bypass security, and skip steps, which introduces risk. And the research bears
this out. According to the Ponemon Institute, 71% of security analysts say developers don’t care about the need
to secure applications while they’re in development, and 53% said that the developers they worked with viewed
security as a hindrance to productivity.2

However, the truth is that these two teams are critical for each other’s success, and CISOs should prioritize
efforts to build relationships between them. Again, it begins with a change of mindset. Make conscious
efforts to overcome preconceived notions that security can only come at the cost of speed. According to
the same Ponemon research, both teams feel increasing pressure to hit their goals, producing applications
quickly and maintaining data security. Establish that achieving both of these simultaneously is not only
possible but within reach.



Trust between these two teams is earned, not given. As such, leaders must create an environment for
teams that sets them up for mutual success. CISOs can help by selecting well-integrated tools that
foster collaboration and eliminate inefficiencies. By integrating security earlier into the development
process, utilizing tools with shared workflows, and prioritizing required fixes based on risk to the
business, leaders can align teams and build trust.

Developers won’t waste time patching irrelevant vulnerabilities in code, and security will be able to
reduce the volume of alerts that bog them down. Together, they can prioritize work, reduce noise, and
get products to market securely and efficiently.

“Our DevOps engineers saw Lacework FortiCNAPP in action and fell in love. They couldn’t
believe it was so simple.”
– David Ramsay, COO, DECTA



#3: Empower Developers to Secure Their Applications
This point is closely related to the prior “big rock” but is nevertheless important enough to stand on its
own. Once developer trust is earned and nurtured, begin empowering those developers by seamlessly
incorporating security into their processes. This will reduce the time and cost of fixing issues once in a
production environment and partially solve your lean security team’s bandwidth issues.

Recently, the adoption of Infrastructure-as-Code (IaC) has reached critical mass. Some research by
the Enterprise Strategy Group (ESG) found that more than two-thirds of organizations currently utilize
IaC templates and the momentum will only continue to grow.3 But, too often, cloud architects focus
entirely on performance, forgetting about exposure to risks and threats until it’s too late. The same
ESG research indicated that, while IaC adoption is increasing, so are the misconfigurations. In fact, 83%
of respondents indicated that they’ve experienced an uptick in IaC misconfigurations.

This approach is never as effective as integrating security into the cloud platform from the start. With
a solid cloud security architecture, businesses can confidently take advantage of the cloud’s benefits—
agility, efficiency, and scale—while mitigating threats and vulnerabilities. CISOs should invest in processes
and tooling that allow them to shift left, meaning they integrate security capabilities earlier in the
technology process, commonly called DevSecOps. Incorporating security into IaC tooling and continuous
integration/continuous delivery (CI/CD) pipelines can automate the integration of code changes from
multiple developers into a single codebase and enable developers to enact security without being security
experts. It also empowers developers to fix security issues during the build process, preventing delays
during production and strengthening the relationship between security and development.

More than two-thirds of organizations (69%) currently utilize IaC templates.



You may have hesitations about offloading some security responsibilities to developer teams, but
your fears of pushback are largely unfounded. In ESG’s research, 99% of surveyed developers
indicated some degree of comfort with increased security involvement, with 83% indicating that they
were either mostly or completely comfortable. With limited staff and resources, investing in security
controls reduces resource burdens, increases operational efficiency, and helps resolve issues during
development, not production.



#4: Invest in Data and Automation
Your cloud environment is full of data—data that’s tied to your business, your business applications, your
cloud infrastructure, and any security signals. The list goes on and on. That’s a lot of data to ingest, analyze,
secure, and act upon. Yet, many cloud security efficiencies rest on taking all the cloud data within
your environment, finding meaningful connections, and acting upon those insights. But that, of course,
takes time that security teams simply do not have. With automation, CISOs have the opportunity to keep
up with this growing data set and align the cost of tools and people with measurable security outcomes.

Understanding your cloud data and acting upon it quickly is essential to reduce risks and make
smarter decisions that grow the business. Modern security tools can employ automation to help you
understand your cloud data; however, analysts have agreed that the best approach to use your data most
effectively is through a single security platform.4 While multiple security solutions may help make sense
of your data individually, only a platform approach that accomplishes these functions in aggregate
can consider all of your security data and draw correlations between these data points in one place.

Within a single platform, automated data analysis can enable more efficient ways to accomplish traditional
use cases. For example, composite alert analysis allows organizations to identify compromises in cloud entities
for early and automatic detection of an active attack. Automation that uses behavioral and anomaly detection
can quickly spot patterns to surface, analyze, and prioritize the risk to your business so you never miss a
critical alert.

Automation can be a lifesaver for understaffed security teams. The icing on the cake is the ability
to centrally manage that data with development and operations teams to improve collaboration and speed
mitigation within a single platform.

Automation improves productivity, security efficacy, and teamwork between security and development.



#5: Automate Compliance as Much as Possible
In the hit novel The Phoenix Project, the authors discuss the four types of IT work. The fourth type,
the dreaded “unplanned work,” consists of incidents or requests generated by others, which almost
always prevents you from achieving your goals. Unfortunately, for security professionals, unplanned
work is all too familiar.

According to the authors, the key to managing unplanned work is to avoid it whenever possible.
While some unplanned security work cannot be avoided, it can be automated.

Enter compliance. Compliance is like laundry; it’s never going away. In fact, regulations seem
to be increasing in size and scope globally while teams and budgets are shrinking or stagnating.
Audit requests will continue, distracting your lean team from strategic, high-value work. This friction
presents an opportunity for CISOs to streamline workflows, automate tedious processes, and achieve
compliance faster. As a result, CISOs can help their organizations gain a competitive advantage by
employing automation to open doors to revenue streams in new regions and markets.

CISOs should look for tools that continuously monitor their environments, automate evidence gathering,
and streamline reporting to keep up with the constant requests from clients, partners, auditors, and
regulators. This automation can cut costs and reduce errors often associated with manual approaches.
CISOs can simplify assessing posture and measuring compliance with PCI, HIPAA, NIST, ISO 27001, and
SOC 2 policies. By choosing tools that integrate with existing workflows, CISOs can enable their teams
to spot issues quickly and be confident they are protecting their company from liability, fines, and
additional costs.

“With the reports generated by Lacework FortiCNAPP, we can easily see what resources are
compliant, what resources are not compliant, and what we need to do to achieve compliance.”



Conclusion
CISOs have the tools to strengthen their influence, create teamwork, and dispel the perception of security as a
cost center. The key to success is to build bridges among all stakeholders and design a secure cloud architecture
that enables growth, speeds innovation, and ensures compliance with regulations.

Fortinet’s Lacework FortiCNAPP platform provides a solution for security teams, developers, operations, and
executives to collaborate in proactively securing cloud environments at scale. Our platform enables teams to
discover and fix misconfigurations and vulnerabilities, meet compliance, and identify any malicious activity with
continuous visibility from build to runtime.

Access more resources and move from playbook to playmaker.


Get started at fortinet.com/cloud.

1. NewtonX Current, Cybersecurity in 2022: Business Outlook and Key Trends, September 2021.
2. Ponemon Institute, The Need to Close the Cultural Divide between Application Security and Developers, September 2020.
3. Enterprise Strategy Group, Walking the Line: GitOps and Shift Left Security, August 2022.
4. Gartner, Gartner Market Guide for Cloud-Native Application Protection Platforms (CNAPP), April 24, 2023.

www.fortinet.com
Copyright © 2024 Fortinet, Inc. All rights reserved.

August 6, 2024 10:07 PM / 2805512-0-0-EN
